IDENTITY AND ACCESS MANAGEMENT POLICY

Executive Summary

The purpose of Kayndrex’s Identity and Access Management Policy is to establish the requirements necessary to ensure that access to and application of its data base is managed in accordance with organisational requirements, information security, and other policies and procedures of the Foundation.

The Foundation’s Identity and Access Management Policy applies to individuals who are responsible for managing its data base access, and those granted access privileges, including special access privileges, to any data resource.

Policy
Access Control
  • Access to the Foundation’s data base shall be justified by a legitimate organisational requirement prior to approval.
  • Where multi-factor authentication is employed, applicant identification shall be verified in person before access is granted.
  • The Foundation’s data base shall have a corresponding ownership responsibility identified and documented.
  • Access to confidential information is based on a ‘need to know.’
  • Confidential data access shall be logged.
  • Access to the Foundation’s interface shall include a secure log-on procedure.
  • Offices and systems shall impose an automatic freeze after a pre-determined period of inactivity.
  • Documented operator access rights and privileges to the Foundation’s data base shall be included in recovery plans whenever such data is excluded from reinforcements.
Account Management
  • All personnel and stakeholders shall appreciate the Foundation’s Privacy Policy and Terms and Conditions before access to an account or to the Foundation’s data base is continued.
    • Personnel accounts shall be created by Human Resources.
      • Individuals shall receive an account after appropriate state and federal employment requirements are fulfilled, including a personal history check.
    • Member accounts shall be created following the admissions process.
      • Firm records, applications, and communications with admissions staff over our stakeholder relationship management service shall confirm the member’s identity prior to admission as a member.
        • If identifiable information is inadequately provided, members shall show their government-issued photo identification in person before being allowed to apply for any membership benefit.
      • Members shall also have their enrolment fee paid prior to being given an account and allowed to register for programmes.
  • All accounts created shall have an associated and documented request and approval in our source of record system. 
  • Segregation of duties shall exist among access request, access authorisation, and access administration.
  • The Foundation is responsible for the approval of all access requests.
  • Operator accounts and access rights for the Foundation’s data base shall be reviewed and reconciled annually, and actions shall be documented.
  • All accounts shall be uniquely identifiable, applying the operator name assigned by the Foundation’s IT, and shall include verification that redundant operator IDs are not applied.
  • All accounts, including default accounts, shall have a password renewal and complexity that complies with the Foundation’s authentication standard.
  • Only the level of access required to perform authorised obligations shall be approved, following the concept of ‘nominal privilege.’
  • Whenever possible, access to data base should be granted to operator groups, rather than granted directly to individual accounts.
  • Shared accounts shall not be applied. Where shared accounts are required, their application shall be documented and approved by the Foundation.
  • Applicant accounts set up for third-party cloud computing applications that are applied for sharing, storing and/or transferring the Foundation’s confidential or internal information shall be approved by the Foundation and documented.
  • Upon operator role changes, access rights shall be modified in a timely manner to reflect the new role.
  • Creation of operator accounts and access right modifications shall be documented and/or logged.
  • Any accounts that have had no access within a defined period of time shall be disabled.
  • Accounts shall be disabled and/or deleted in a timely manner following employment termination, according to a documented personnel termination process.
  • System Administrators or other designated personnel:
    • Are responsible for modifying and/or removing the accounts of individuals who change roles within the Foundation or are separated from their relationship with the Foundation.
    • Shall have a documented process to modify an operator’s account to accommodate situations such as name changes, accounting changes, and permission changes.
    • Shall have a documented process for periodically reviewing existing accounts for validity.
    • Are subject to independent audit review.
    • Shall provide a list of accounts for the systems they administer when requested by authorised Foundation IT management personnel.
    • Shall cooperate with authorised Foundation data security personnel investigating security events at the direction of the Foundation’s executive management.
Administrator/Special Access
  • Administrative/Special access accounts shall have account management instructions, documentation, and authorisation.
  • Personnel with Administrative/Special access accounts shall refrain from mismanagement of privilege and shall only perform the duties required to complete their employment function.
  • Personnel with Administrative/Special access accounts shall apply the account privilege most appropriate to the role being performed (i.e., applicant account vs. administrator account).
  • Shared Administrative/Special access accounts should only be applied when no other option exists.
  • The password for a shared Administrative/Special access account shall change when an individual with knowledge of the password changes roles, moves to another department or leaves the Foundation altogether.
  • In the circumstance where a system has only one administrator, there shall be a password escrow procedure in place so that someone other than the administrator can gain access to the administrator account in an emergency situation.
  • Special access accounts for internal or external audit, software development, software installation, or other defined need, shall be administered according to the Foundation’s authentication standard.
Authentication
  • Personnel are required to maintain the confidentiality of personal authentication information. 
  • Any group/shared authentication information shall be maintained solely among the authorised members of the group. 
  • All passwords, including initial and/or temporary passwords, shall be constructed and implemented according to the following Kayndrex directives:
    • Shall satisfy all the requirements established in Kayndrex’s authentication standard, including length, complexity, and rotation requirements.
    • Shall not be readily related to the account owner through things like the operator name, nickname, relatives’ names, birth date, etc.
    • Should exclude common words, such as dictionary words or acronyms.
    • Should be different from passwords applied for business purposes.
  • Password history shall be kept to prevent the reapplication of passwords.
  • Unique passwords should be applied for each system, whenever possible.
  • Where other authentication mechanisms are applied (e.g., security tokens, smart cards, certificates, etc.), the authentication mechanism shall be assigned to an individual, and a physical or logical mechanism shall be in place to ensure only the intended account can apply the mechanism to gain access.
  • Stored passwords are classified as confidential and shall be encrypted.
  • All supplier-provided default passwords should be immediately updated, and unnecessary default accounts removed or disabled before installing a system on the interface.
  • Operator account passwords shall not be divulged to anyone. The Foundation’s support personnel and/or contractors should never ask for operator account passwords.
  • Security tokens (e.g., Smartcard) shall be returned on demand or upon termination of the relationship with the Foundation, if dispensed.
  • If the security of a password is in doubt, the password should be changed immediately.
  • Administrators/Special Access operators should use the Foundation’s authentication standard for the sake of ease of operation.
  • Operators should not apply password entry with embedded scripts or hard-coded passwords in the Foundation’s software(s). Exceptions can be made for specific functions (like automated reinforcement) with the approval of the Foundation’s IT Management.
    • Application/website password remembering is allowed for operators.
  • If a password management system is employed, it should be applied in compliance with the Foundation’s authentication standard. 
  • Computing devices left unattended shall have a password-protected screensaver enabled, or the operator shall log off the device.
  • The Foundation’s IT Support password change procedures shall include the following:
    • authenticate the operator to the support desk before changing the password,
    • change to a strong password,
    • require the operator to change the password at first login.
  • In the event that an operator’s password is compromised or discovered, the password should be immediately changed, and the security event reported to the Foundation’s IT support.
Remote Access
  • All remote access connections to the Foundation’s interfaces will be made through the approved remote access methods employing data encryption and multi-factor authentication for administrative access rights.
  • Remote operators can connect to the Foundation’s interfaces only after formal approval by the requestor’s manager or the Foundation’s Management.
  • The ability to print or copy confidential information remotely shall be disabled.
  • Operators granted remote access privileges shall be given remote access instructions and responsibilities.
  • Remote access to the Foundation’s data base shall be logged.
  • Remote sessions shall be terminated after a defined period of inactivity.
  • A secure connection to another private interface is disallowed while connected to the Foundation’s interface, unless approved in advance by the Foundation’s IT management.
  • Non-Kayndrex computer systems that require interface connectivity shall conform to all applicable IT standards as set out by the Foundation and shall be connected only after prior written authorisation from IT Management.
  • Remote maintenance of organisational assets shall be approved, logged, and performed in a manner that prevents unauthorised access.  
Supplier Access
  • Supplier access shall be uniquely identifiable and comply with all existing Kayndrex Foundation’s policies.
  • External supplier access activity shall be monitored.
  • All supplier maintenance equipment on the Foundation’s interface that connects to the external world via the system, telephone line, or leased line, and all data resource supplier accounts, shall remain disabled except when applied for authorised maintenance.
References
Waivers

Waivers from certain policy provisions can be sought.

Enforcement

Personnel found to have disregarded this policy shall be subject to disciplinary action, up to and including termination of employment, and related non-compliance penalties.